[Politech] How to catch a scam-spammer [sp]

From: Declan McCullagh (declan@private)
Date: Mon Apr 05 2004 - 08:48:37 PDT

  • Next message: Declan McCullagh: "[Politech] Update on Internet wiretapping for phone calls [priv]"

    Also see:
    http://slashdot.org/articles/04/04/05/1256254.shtml?tid=111&tid=126&tid=133&tid=186
    
    -------- Original Message --------
    Subject: 	I fought the scammer... and I won.
    Date: 	Fri, 02 Apr 2004 21:54:30 +0100
    From: 	Steffen Higel <Steffen.Higel at cs.tcd.ie>
    To: 	John Allman <allmanj at houseofireland.com>,
    paulinemccaffrey at eircom.net, stevecash at ireland.com,
    tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie,
    edwin.higel at brookside.ie, marynstanley at eircom.net,
    richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at 
    mail.dcu.ie
    
    
    
    [This is long, and is quite heavy on the technical discussion. Skip the
    bits you don't understand. It gets interesting.]
    
    I work for a busy Dublin Internet cafe, doing some sysadmining and
    general computer maintenance. On Sunday the 28th of March, I got a
    rather distressing email from a sysadmin in a large U.S. University.
    Spamcop had blacklisted our server's external IP address. Abuse mail for
    the server in question gets sent to my college account (bad practice, I
    know,  but it's a part time job). My college uses Spamcop as a blacklist
    source. You can probably tell what happened...
    
    Anyway, said email included the full headers of an email which was
    natted by our server pretending to be from the widow of Mr. Jonas
    Savimbi, offering the recipient a share of an unspecified large sum of
    money. The usual panicked thoughts kick in... "Have I fiddled with
    something which has left us as an open relay?", "Has our server been
    cracked?", "Have I been sleep-spamming again?". A more reasoned
    examination of the headers showed that the mail had originated from one
    of the IP addresses that we assign dynamically to people who bring
    laptops into the cafe. This is something of a nightmare for cafe
    operators, we can hardly block outbound smtp but then again it isn't
    possible for us to manually check every single mail either. Maybe rate
    limiting is a valid technical solution. Or a contraption which hits the
    user on the head for every mail they send. So if they send 1 an hour,
    it's a mild nuisance. But if they send 100 a minute, it'll probably kill
    them.
    
    A peek through the logs revealed:
    
    Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7
    via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from
    00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to
    00:40:f4:5d:aa:f7 via eth1
    
    Bingo. I had something to work with. The network card is one based on a
    Cameo 32bit chipset. Matches up quite nicely with these:
    
    Return-Path: <mjsavimbi2000 at yahoo.co.uk>
    Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
        byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
        for <XXXXXXXXXXXXXX>; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
    Reply-To: "michelle savimbi" <mjsavimbi2000 at yahoo.co.uk>
    From: "michelle savimbi" <mjsavimbi2000 at yahoo.co.uk>
    To: <XXXXXXXXXXXXXXX>
    Subject: urgent response
    Date: Fri, 26 Mar 2004 15:53:26 +0000
    Organization:
    Mime-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0034_01C221EC.6C64F7B0"
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
    X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165
    
    I asked around, and a man, described as being black (or is the word
    African-American these days?), roughly 30, with an accent which seemed
    half London and half African had been in the cafe with a laptop and had
    a number of visitors call into his booth and had been there at the given
    time.
    
    I hate spam more than I hate crackers. I hate spam more than I hate
    virus writers. I wanted to catch this guy in the act and I wanted to see
    him hauled off in a paddywagon. We contacted the police, who
    unfortunately didn't seem willing to do anything about it unless we
    caught someone in the act of doing something illegal. The daily staff in
    the cafe were instructed to let me know if said individual turned up
    again, though honestly, who could be that stupid? My hopes weren't high.
    
    Evidently, a 419er is that stupid. The very next Friday (2nd of April
    2004) he turned up again. I was on the bus at the time, just about to go
    in for another day of world altering research. I ran down as fast as I
    could and was told that he was on the second floor and hadn't plugged in
    yet because he wanted one particular booth which is somewhat secluded
    and was willing to wait.
    
    I sat myself down at a computer in another room, started tailing the
    daemon.log and waited for the telltale entries. I took a quick flick
    through the tcpdump manpage, just to make sure I didn't screw up. 20
    minutes later, it started to happen. He plugged in, and his Windows XP
    laptop started to blabber away. WindowsUpdate, Netbios, passport logins.
    Nothing much happened for a while. The odd DNS request here, the
    occasional search:
    
    GET /search.php?Keywords=male%20erection&p (I'm not messing!)
    
    on 64.21.81.131, which seems to belong to some direct marketing whorehouse.
    
    He logged into this as well: 66.180.174.12, which seems to be some sort
    of mail harvesting database. The login is done over SSL, so I can't find
    out more. If any militant anti-spam vigilantes want to get a good look
    at how these people organize themselves, that's probably a good place to
    start.
    
    Then, he spent a bit of time on http://www.emailspidereasy.com. Don't
    you just love the fake google-textads? He logged into mail.com next,
    using the email address kendoda at accountant.com. Whatever hash they use
    for passwords was aaka7zxkcNo. Then, he logged into his yahoo mail
    account. This was probably to check the account that in which he
    receives those mails. It looks like the rest happened over SSL.
    
    Then it started. The screen started showing an awful lot of smtp traffic
    heading out onto the net. I knew that I had to let it go, even if it
    meant another 48 hours of being blacklisted. If it meant he could be
    convicted of committing a crime, then I figured it was worth the price.
    I hope those who received the mail also feel that way. (sorry :-/)
    
    Before I phoned my contact in the Gardai, I had to make sure that he was
    actually sending out his vile wares. I scped the partial dumpfile onto
    my laptop, and opened it up in ethereal. Guess what?
    
    220 serverXXXXXXXXXX ESMTP Postfix
    HELO 192.168.1.70
    250 serverXXXXXXXXXX
    MAIL FROM:<mjsavimbi2000 at yahoo.co.uk>
    250 Ok
    RCPT TO:<poXXXXXXXXXXries.com>
    250 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    Reply-To: "michelle savimbi" <mjsavimbi200From: "michelle savimbi"
    <mjsavimbi2000 at yaSubject: urgent response
    Date: Fri, 2 Apr 2004 10:48:20 +0100
    Organization:
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundX-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2X-MimeOLE: Produced by
    Microsoft MimeOLE V
    ------=_NextPart_000_0034_01C221EC.6C64F7BContent-Type: text/plain;
            charset="iso-8859-1"
    
    Dear Sir,
    
    I would like to introduce myself to you [....]
    
    [I've noticed that some characters are missing. This seems to be due to
    our server not being able to keep up]
    
    And on it went. To lots of people. 1178 of them. By that time, two
    Gardai had called in and wanted to wait until he had sent as many as he
    was going to. They seemed fairly convinced at that point that our friend
    was engaged in something less than honest. These weren't computer
    specialists, but they walked up, knocked on the window of the booth and
    introduced themselves.
    
    He asks them what the problem is and is told to step away from the
    computer. He doesn't seem too happy about this, but does so. He's asked
    his name and is told that he might like to come down for a chat in the
    local station. He says his wallet and ID are in the booth, so he walks
    in, rips a USB memory stick from the side of his laptop, tries to
    swallow it and makes a run for it. Detective number 1 grabs and tries to
    cuff him, detective 2 starts to do the same. A struggle ensues and goes
    on for a full 10 minutes, basically trying to pin him on the floor and
    then getting his arms behind so he can be handcuffed. Michelle agrees to
    co-operate on numerous occasions and each time tries to run to the booth
    to destroy whatever is on that machine.
    
    Eventually, 2 more gardai arrive and he's cuffed and brought out, crying
    like a little girl claiming police brutality (which is untrue, they
    would probably never have even formally arrested him if he hadn't
    attempted to run). Detective 1 was explaining to me how it's extremely
    difficult to restrain someone without hurting them. They could have had
    him subdued in about 10 seconds flat, but there have been instances in
    the past where a few gardai in this country have caused quite a bit of
    controversy with their liberal application of force. So this eyewitness
    applauds the superb work done by these gardai in a very difficult
    situation. 10 minutes of struggling with someone is pretty tough work.
    
    So he's carted off in a car back to the local station., where he'll get
    a cozy cell. Myself and detective 1 take a look at the equipment he
    had... A "mentor" network card (based on the cameo chipset), a badly
    chewed (but fairly undamaged looking) USB memory stick and a bulky
    laptop running Windows XP. Open on the screen is MS Word with the exact
    text of our beloved email and some bulk email program (the icon had a
    yellow background with a black @ symbol). His phone is ringing in his
    coat constantly. One of his many guests from his previous visit must
    want to talk to him.
    
    At one point, 3 guys who would appear to be of similar ethnic background
    want to come into the room where Michelle was working. They are told we
    are closed due to a technical problem. They were friendly and understood
    the situation and departed quickly enough.
    
    Some guys from the computer crime unit turn up, 3 of them. We have a
    good chat about what evidence I have on the guy. We look through my tcp
    trace, they same happy enough with what's there. They ask if I managed
    to sniff any other traffic, http and so forth. They're really hoping
    that they can get his email password, so with appropriate judicial
    permission (I assume) they can take a look at who has been mailing him.
    Yahoo are apparantly extremely uncooperative in this area. He seemed to
    be using a mail.com address as well. Proof that he is intending on
    scamming people out of money is what the gardai need. I'm not sure if
    it's illegal to pretend to be someone you aren't and offer a stranger
    money that you don't have. I'm guessing that with the tcpdump I gave
    them, their technicians will be able to get something out of it. I'm
    more interested in the contents of that USB stick.
    
    So anyway, that's my tale. Michelle has been charged with assault (he
    tore off detective 1's wrist watch) and is claiming that he can't speak
    any English. Given the potential scale of the scamming operation,
    detective 1 reckoned that they'd probably end up handing the evidence
    over to interpol or whoever works in Quantico (that's the FBI, right?).
    
    What have I learned? Firstly, digging up evidence on criminals is an
    exciting activity. Secondly, if you're an absentee sysadmin for an
    Internet cafe, transperantly proxy as much traffic as you can. The logs
    will prove useful if you are trying to track an abuser's traffic 24
    hours after they have left. I was lucky in this respect, I was proxying
    smtp and http to postfix and squid. The added headers in the mails makes
    things easier to track. Thirdly, there doesn't seem to be sufficient
    clarity among those employed in law enforcement concerning the
    legalities of spam. Hell, I don't know what the laws regarding this sort
    of thing are. I just know it sucks. Finally, it's a bit out there, but
    the gardai should forge closer links with the research community Among
    us, we have a whole lot of knowledge of just about every issue under the
    sun. We're mostly idealists, and those ideals include a spam-free
    Internet. And heck, we're cheap!
    
    Hope that provided some amusement. Forward it on to anyone who is
    interested. Really. I want to see it on the front page of slashdot and
    el reg within a week. And yes it really happened.
    
    ----- End forwarded message -----
    _______________________________________________
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
    



    This archive was generated by hypermail 2b30 : Mon Apr 05 2004 - 08:52:21 PDT